BIG-IP ASM Comprehensive: Application Security


1

BIG-IP ASM
Comprehensive Application Security

Presenter
2

Attacks are Moving “Up the Stack”

Network Threats: 90% of security investment focused here
Application Threats: 75% of attacks focused here

Source: Gartner
3

Almost every web application is vulnerable!

• “97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks”
  - Web Application Security Consortium

• “8 out of 10 websites vulnerable to attack”
  - WhiteHat “security report”

• “75 percent of hacks happen at the application.”
  - Gartner “Security at the Application Level”

• “64 percent of developers are not confident in their ability to write secure applications.”
  - Microsoft Developer Research
4

Figures 2 and 5: 10th Website Security Statistics Report (Q3 2010)


5

How long to resolve a vulnerability?

Website Security Statistics Report


6

Developers are asked to do the impractical...

Competing demands shown on the slide: Application Security?, Application Patching, Application Development, Application Scalability, Application Performance
7

Who is responsible for application security?

Web developers?

Network Security?

Engineering services?

DBA?
8

Traditional Security Devices vs. WAF


| Threat | Network Firewall | IPS | ASM |
|---|---|---|---|
| Known Web Worms | Limited | | |
| Unknown Web Worms | X | Limited | |
| Known Web Vulnerabilities | Limited | Partial | |
| Unknown Web Vulnerabilities | X | Limited | |
| Illegal Access to Web-server files | Limited | X | |
| Forceful Browsing | X | X | |
| File/Directory Enumerations | X | Limited | |
| Buffer Overflow | Limited | Limited | |
| Cross-Site Scripting | Limited | Limited | |
| SQL/OS Injection | X | Limited | |
| Cookie Poisoning | X | X | |
| Hidden-Field Manipulation | X | X | |
| Parameter Tampering | X | X | |
| Layer 7 DoS Attacks | X | X | |
| Brute Force Login Attacks | X | X | |
| App. Security and Acceleration | X | X | |

Blank cells are marks on the slide that did not survive extraction.
9

Web Application Firewall - ASM

Diagram: traffic path from User through Intelligent Client, Network Plumbing, Application Infrastructure, to the Application.

Network-layer controls shown: Firewall, IPS, VPN, IDS-IDP, Anti-Virus, App Firewall (HTTP/S Traffic)

Application-layer threats and content shown at the ASM position: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Application DoS Attacks, DDOS, Brute Force, Error Messages, Non-compliant Content, Credit Card / SSN data, Server Fingerprints
10

Leading web attack protection

BIG-IP Application Security Manager

Web Application Security:
o Protect from latest web threats
o Out-of-the box deployment
o Meeting PCI compliance
o Quickly resolve vulnerabilities
o Improve site performance

Diagram: Users -> BIG-IP ASM -> Web Applications, deployed across Physical, Virtual, Multi-Site DCs, and Private/Public Cloud.


11

Automatic DOS Attack Detection and Protection

o Accurate detection technique – based on latency
o 3 different mitigation techniques escalated serially
o Focus on higher value productivity while automatic controls intervene

1. Detect a DOS condition
2. Identify potential attackers
3. Drop only the attackers
12
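The three-step flow on the slide (detect a DoS condition from server latency, identify the sources responsible, drop only those) is shown below as an added example in Python. It is not F5's code and does not reflect how ASM implements its detection; the traffic records, the 40 ms baseline, the 5 s window, the 3x latency factor and the 25% share threshold are all constructed for the illustration.

```python
from collections import Counter, deque
from statistics import mean

# Constructed sample traffic (not real logs): (timestamp_s, source_ip, uri, server_latency_ms).
# Ten ordinary clients browse normally, then one source floods a search URI and
# server latency climbs for everyone, which is the signal a latency-based detector keys on.
FLOOD_IP = "198.51.100.7"
BASELINE_MS = 40.0  # assumed normal server latency for this site (constructed)


def make_sample_traffic():
    reqs, t = [], 0.0
    for i in range(50):                      # normal browsing, ~37 ms latency
        reqs.append((t, f"10.0.0.{i % 10 + 1}", "/index.html", 35.0 + i % 5))
        t += 0.1
    for i in range(200):                     # flood: 100 req/s, latency rising
        reqs.append((t, FLOOD_IP, "/search?q=x", 300.0 + i))
        t += 0.01
    for i in range(20):                      # legitimate users now slowed too
        reqs.append((t, f"10.0.0.{i % 10 + 1}", "/index.html", 250.0))
        t += 0.1
    return reqs


def dos_condition(window, baseline_ms, factor=3.0, min_requests=20):
    """Step 1: a DoS condition exists when mean server latency over the
    window exceeds factor x the baseline (latency-based, not rate-based)."""
    if len(window) < min_requests:
        return False
    return mean(r[3] for r in window) > factor * baseline_ms


def suspect_sources(window, share_threshold=0.25):
    """Step 2: sources contributing an outsized share of the window's requests."""
    counts = Counter(r[1] for r in window)
    total = sum(counts.values())
    return {ip for ip, n in counts.items() if n / total >= share_threshold}


def mitigate(requests, baseline_ms=BASELINE_MS, window_s=5.0):
    """Step 3: replay the stream and drop requests only from suspect sources,
    and only while the DoS condition holds. Returns (allowed, dropped)."""
    window, allowed, dropped = deque(), [], []
    for req in requests:
        window.append(req)
        while req[0] - window[0][0] > window_s:   # keep a sliding time window
            window.popleft()
        suspects = suspect_sources(window) if dos_condition(window, baseline_ms) else set()
        (dropped if req[1] in suspects else allowed).append(req)
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = mitigate(make_sample_traffic())
    print(f"allowed={len(allowed)} dropped={len(dropped)} "
          f"sources_dropped={sorted({r[1] for r in dropped})}")
```

Running it, every request from the ten ordinary clients is allowed, including the ones slowed down by the flood, and only the flooding source is dropped once the window's mean latency crosses the threshold. The share-of-requests rule is the simplest way to turn "identify potential attackers" into code; a production detector would normally compare each source against its own history rather than a fixed share.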

PCI Compliance Reporting

PCI DSS reporting:


• Details security measures required
• Compliancy state
• Steps to become compliant
13

Protection from all of the top vulnerabilities


• OWASP Top 10 Web Application Security Risks:
– A1: Injection
– A2: Cross-Site Scripting (XSS)
– A3: Broken Authentication and Session Management
– A4: Insecure Direct Object References
– A5: Cross-Site Request Forgery (CSRF)
– A6: Security Misconfiguration
– A7: Insecure Cryptographic Storage
– A8: Failure to Restrict URL Access
– A9: Insufficient Transport Layer Protection
– A10: Unvalidated Redirects and Forwards
14

Example: OWASP Top 5 - CSRF Attack

CSRF Attack example (diagram labels: Trusted Web Site, Encrypted, Trusted Action)

1. Mobile user logs in to a trusted site
2. Session is authenticated
3. User opens a new tab e.g., chat
4. Hacker embeds a request in the chat
5. The trusted link asks the browser to send a request to the hacked site
15
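The slide's five steps work because the browser attaches the authenticated session cookie to the request planted in the chat tab. The added example below, written for this page and not taken from F5 or from ASM, shows the server-side check on the trusted site that refuses that request: a per-session token the cross-site page cannot read, plus an Origin/Referer comparison. The site origin `https://trusted.example`, the `transfer_handler` endpoint and the request dictionaries are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the trusted site in the slide's scenario (hypothetical name).
SITE_ORIGIN = "https://trusted.example"


def issue_csrf_token(session):
    """Bind a random token to the authenticated session (step 2) and embed it
    in the site's own forms; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers):
    """Browsers attach Origin (or at least Referer) to cross-site form posts;
    a request carrying neither, or another origin, did not come from our pages."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(session, headers, form):
    """Return (ok, reason). The session cookie proves the browser is logged in
    (steps 1-2), not that the user intended the action (step 5)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False, "missing csrf token"
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return False, "csrf token mismatch"
    if not same_origin(headers):
        return False, "cross-origin request"
    return True, "ok"


def transfer_handler(session, headers, form):
    """Hypothetical state-changing endpoint: refuse before touching any state."""
    ok, reason = csrf_check(session, headers, form)
    if not ok:
        return 403, reason
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    session = {"user": "alice"}                          # steps 1-2: logged in
    token = issue_csrf_token(session)
    # Constructed: a form post from the site's own page carries Origin and token.
    legit = transfer_handler(session, {"Origin": SITE_ORIGIN},
                             {"to": "bob", "amount": "10", "csrf_token": token})
    # Constructed: the request planted in the chat tab (steps 4-5) rides on the
    # same session cookie but comes from another origin and cannot know the token.
    forged = transfer_handler(session, {"Origin": "https://chat.example"},
                              {"to": "mallory", "amount": "1000"})
    return legit, forged


if __name__ == "__main__":
    print(demo())
```

The token check alone already defeats the scenario on the slide; the origin check is a second, independent layer that also catches a leaked or reused token. A WAF sitting in front of the application, as in the ASM diagrams earlier in the deck, can enforce an equivalent policy without changes to the application code.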

Reporting
16

Application visibility and reporting


Monitor URIs for server latency

• Troubleshoot server code that causes latency
